JP2005130121A - Network management apparatus, method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the accuracy of determining a DoS attack in an IP network, to shorten a route detecting time, and further to reduce the number of times of transmission of IP tracing back reverse searching packets. <P>SOLUTION: A server 1B judges the presence or absence of a DoS attack by cooperation among first-fourth functions etc. The first function is a function of regularly collecting and managing traffic information for each IP address, comparing this managed traffic information with present traffic information, and judging a DoS attack if the difference between both the information is equal to or more than a predetermined threshold in which increase/decrease in the number of links with its own homepage is added as a judgement condition of the DoS attack. The second function manages the history of the DoS attack for each IP address to judge the presence or absence of DoS attack by the frequency of DoS attack during a predetermined period. The third function judges the presence or absence of DoS attack by the contents of description of payload of received data. The fourth function monitors resources of a server possibly being a target of DoS attack in its own domain to judge the presence or absence of the DoS attack. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to, for example, an apparatus, method, and program for managing an IP network, and more particularly, to a network management apparatus, a network management method, and a network management program that determine whether a DoS attack has occurred and appropriately transmit an IP traceback reverse detection packet.

  Conventionally, a denial of service (Dos) attack that makes it difficult to provide a service by transmitting a large amount of data or illegal packets has been a problem. In this Dos attack, a general method is to send a large number of packets to a specific Internet server, thereby causing the server to be attacked to run out of resources and make it inaccessible. A predetermined tool is used for this DoS attack, but the attack target and method differ depending on the tool.

  As typical tools, there are Smurf Dos for executing an echo request by ICMP (Internet Control Message Protocol), TFN using SYN (synchronous) technology, and the like. In many cases, it is difficult to specify an attack source because an attack from a different computer called a distributed DoS (DDos) attack is performed.

  In view of such problems, Non-Patent Document 1 discloses a reverse detection packet method in performance evaluation of traffic volume and attack path reconfiguration time of the IP traceback reverse detection packet method. In this method, by IP option traceback, an IP packet that is assumed to be an attack source is tracked in an autonomous system (AS) unit, passing AS information is stored in a trace packet, and the attack source is based on that information. Is building a path.

On the other hand, in Patent Document 1, the access request received from the client computer is accepted instead of the server computer, and the validity of the received access request packet is checked, and only when the validity is recognized, the server A technique for transferring a packet to a computer is disclosed. In this technique, the access request packet is a series of connection request packet, confirmation response packet, and data request packet as an access validity checking means as a valid access request condition.
JP 2003-173300 A Yuko Sawai, Nara Institute of Science and Technology, “Performance evaluation of traffic volume and attack path reconstruction time for IP traceback reverse detection packet method”, [on line], [October 8, 2003 search], Internet < URL: http://www.ieice.org/cs/ia/ipn/conference/200207/presentation/Sawai.pdf>

  In the technique disclosed in Non-Patent Document 1, a trace packet is transmitted with a probability P in order to identify an attack source. This probability P affects the number of trace packets and the attack path detection time. That is, as the probability P increases, the number of trace packets increases, but on the other hand, the traffic increases, increasing the possibility of causing congestion. On the other hand, if the probability P is small, the attack path detection time increases. As the detection time becomes longer, the possibility of service interruption increases, making it difficult to identify the source of the attack and avoiding the attack, resulting in increased damage. Also, with this technology, no determination is made as to whether or not it is a DoS attack.

  In addition, there is a limit in accuracy because IP traceback reverse detection packets are transmitted to unspecified packets. Increasing the generation probability of trace packets to increase accuracy increases the number of trace packets, resulting in congestion. May cause.

  On the other hand, in the conventional technique disclosed in Patent Document 1, when a packet related to a DoS attack is a series of connection request packets, confirmation response packets, and data request packets, the validity of the DoS attack can be evaluated. The problem is not possible.

  The present invention has been made in view of the above problems, and its object is to improve the accuracy of DoS attack determination in an IP network and shorten the route detection time by comprehensive judgment based on different policies of a plurality of agents. In addition, the influence on traffic is reduced by reducing the number of IP traceback reverse detection packet transmissions.

  In order to achieve the above object, according to a first aspect of the present invention, in a network management apparatus that is connected to an information communication network together with a plurality of terminal devices and manages traffic information of data transmitted from the terminal device, the terminal Traffic information management means for periodically collecting and managing device traffic information for each IP address, traffic information comparison means for comparing the traffic information managed by the traffic information management means with current traffic information, and A DoS determination means for determining a DoS attack when the difference between the two values compared by the traffic information comparison means is equal to or greater than a predetermined threshold, and a reverse detection packet when the DoS determination means determines a DoS attack. And a reverse packet transmission means for transmitting the network management device. It is provided.

  According to a second aspect of the present invention, there is provided the network management device according to the first aspect, further characterized in that the threshold value is a constant corresponding to a transmission rate.

  In a third aspect of the present invention, in a network management device that is connected to a plurality of terminal devices via an information communication network and manages traffic information of data transmitted from the terminal device, the traffic information of the terminal device is transferred to the IP Periodically collecting and managing for each address, comparing the managed traffic information with the current traffic information, and determining that the difference between the two values, which are the comparison results, is greater than or equal to a predetermined threshold value, a DoS attack The first function in which the increase / decrease in the number of links to the home page is further added as a DoS attack judgment condition, and the DoS attack history is managed for each IP address. The presence of a DoS attack depends on the second function for determining the presence or absence of an attack and the description content of the payload of the data received from the terminal device. The DoS attack is performed using at least one of the third function for determining the resource and the fourth function for monitoring the server resources that can be attack targets in the own domain and determining the presence or absence of the DoS attack. There is provided a network management apparatus having DoS determination means for determining presence or absence.

  According to a fourth aspect of the present invention, in the third aspect, the DoS determination means includes a cost value conversion means for converting the determination results by the first to fourth functions into a cost value, and each of the cost values. And a total number calculating means for calculating a total sum of values obtained by multiplying IP addresses, port numbers or constants according to applications, and further determining a DoS attack according to the total number. A management device is provided.

  According to a fifth aspect of the present invention, in the third or fourth aspect, the DoS determination means compares the traffic information managed by the traffic information management means with the current traffic information, and compares the difference between the two values. Provided is a network management device further comprising means for causing the external device to manage current and subsequent traffic information when the value is equal to or greater than a predetermined threshold, and further determining a DoS attack in the external device. Is done.

  According to a sixth aspect of the present invention, in the network management method by the network management device that manages the traffic information of the data transmitted from the terminal device connected via the information communication network, the network management device includes: Traffic information is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and if the difference between the two values compared is equal to or greater than a predetermined threshold, a DoS attack And a network management method characterized by transmitting a reverse detection packet.

  According to a seventh aspect of the present invention, in the network management method by the network management device for managing the traffic information of the data transmitted from the terminal device connected via the information communication network, the network management device includes: When traffic information is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values as a comparison result is greater than or equal to a predetermined threshold value A function for determining a DoS attack, the first function in which the increase / decrease in the number of links to the homepage is further added as a DoS attack determination condition, and the DoS attack history is managed for each IP address. A second function for determining the presence / absence of a DoS attack according to the frequency, and a payload of data received from the terminal device; At least one of a third function for determining the presence or absence of a DoS attack and a fourth function for monitoring a server resource that can be an attack target in the own domain and determining the presence or absence of a DoS attack There is provided a network management method characterized by determining the presence or absence of a DoS attack using a single function.

  According to an eighth aspect of the present invention, in the network management program used for the network management apparatus that manages the traffic information of the data transmitted from the terminal apparatus connected via the information communication network, the network management apparatus includes the terminal apparatus. Traffic information is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values compared is equal to or greater than a predetermined threshold. A network management program for determining an attack and transmitting a reverse detection packet is provided.

  According to a ninth aspect of the present invention, in the network management program used for the network management apparatus that manages the traffic information of the data transmitted from the terminal apparatus connected via the information communication network, the network management apparatus includes the terminal apparatus. When the traffic information is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values as a comparison result is equal to or greater than a predetermined threshold value A function for determining a DoS attack, a first function in which increase / decrease in the number of links to the homepage is further added as a DoS attack determination condition, and a DoS attack history is managed for each IP address, and a DoS attack for a certain period of time The second function for determining the presence or absence of a DoS attack according to the frequency of the data, and the data received from the terminal device At least one of a third function for determining the presence or absence of a DoS attack based on the description content of the payload and a fourth function for monitoring a server resource that can be an attack target in its own domain and determining the presence or absence of a DoS attack A network management program for determining the presence or absence of a DoS attack using one function is provided.

  According to the present invention, the accuracy of DoS attack determination in an IP network is improved by comprehensive judgment based on different policies of a plurality of agents, the route detection time is shortened, and the number of IP traceback reverse detection packets transmitted is reduced. It is possible to provide a network management apparatus and a network management method that reduce the influence on traffic by reducing the traffic.

  Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a conceptual diagram of a network management apparatus according to an embodiment of the present invention. The network management device corresponds to the server 1A or 1B.

  As shown in FIG. 1, a plurality of routers 3 </ b> A to 3 </ b> D are communicably connected in the AS 4. Among these routers 3A to 3D, the router 3A, which is an edge node, is connected to an external information communication network (network) 5, and a server 1A for monitoring traffic information is connected to the router 3A so as to be able to communicate. . The server 1A is connected to a database (hereinafter abbreviated as DB) 2A for storing periodically collected traffic information as a traffic pattern. The router 3A is also communicably connected to a server 1B inside or outside the network domain. The server 1B is connected to a DB 2B that stores traffic information that is a candidate for DoS attack. In the present embodiment, a DoS attack discrimination agent that determines the DoS attack identification and the handling of traffic information stored in the DB 2B is resident in the server 1B. This agent will be described later.

  In the network management apparatus according to such an embodiment, for example, the servers 1A, 1B and the like have the following operations. More specifically, for example, in either the server 1A or 1B, traffic information of external terminal devices connected via the network 5 is periodically collected and managed for each IP address. The current traffic information is compared with the current traffic information, and if it is determined that the DoS attack is a case where the difference between the two values compared is equal to or greater than a predetermined threshold, a reverse detection packet is transmitted.

  The threshold value may be a constant corresponding to the transmission rate.

  Alternatively, for example, in either the server 1A or 1B, the traffic information of the terminal devices connected via the network 5 is periodically collected and managed for each IP address, and the managed traffic information and the current traffic information are collected. Is a function for determining a DoS attack when the difference between the two values as a comparison result is equal to or greater than a predetermined threshold, and a link in which increase / decrease in the number of links to the homepage is further added as a DoS attack determination condition Agent function, DoS attack history for each IP address, Frequeny agent function that determines the presence or absence of DoS attack according to the frequency of DoS attack in a certain period, and the description contents of payload of data received from the terminal device Appcheck agent function to determine if there is a DoS attack and attacks within your domain The resource of the server that can be hit is monitored, and the presence or absence of the DoS attack is determined using at least one of the SrvrMonitor agent function that determines the presence or absence of the DoS attack.

  Furthermore, although details will be described later, in either the server 1A or 1B, a value obtained by converting the determination result by these functions into a cost value and multiplying each cost value by a constant corresponding to the IP address, port number, or application. Is calculated as a total number, and a DoS attack is determined according to the total number. Also, the traffic information managed by one server (for example, server 1A) is compared with the current traffic information, and if the difference between the two values is equal to or greater than a predetermined threshold, another server (external device) ( For example, the server 1B) manages the current and subsequent traffic information, and determines the DoS attack in the external device. It goes without saying that the above operation is performed by the servers 1A and 1B as network management devices, or other servers (not shown) alone or in cooperation with a plurality of servers.

  Next, FIGS. 2 and 3 further illustrate and explain the configurations of the servers 1A and 1B.

  Note that the functions of the servers 1A and 1B described below are merely specified as an example for convenience of description, and the functions of the servers 1A and 1B may be interchanged or some functions may cooperate.

  First, as shown in FIG. 2, the server 1A has a traffic collection function 11, a traffic comparison function 12, a traffic pattern creation function 13, a traffic pattern collection / storage function 14, a communication function 15, and a traffic judgment function 16. ing.

  The traffic collection function 11 and the traffic pattern collection / storage function 14 can communicate with the DB 2A. The communication function 15 can communicate with a plurality of terminal devices (not shown) via the server 1B and the external network 5.

  In such a configuration, the traffic collection function 11 periodically collects traffic information for each IP address. The traffic pattern creation function 13 creates a change in transmission rate for each day, week, month, and year as a traffic pattern for each IP address for the collected traffic information. The traffic pattern collection / storage function 14 stores the traffic pattern in the DB 2A. The traffic comparison function 12 compares the transmission rate for each source address collected by the server 1A and the traffic pattern stored in the DB 2A. The traffic judgment function 16 receives the result of this judgment, and if a difference of a predetermined value or more occurs between the two, the traffic judgment function 16 automatically determines the IP packet via the communication function 15 in order to judge the presence or absence of the Dos attack. The data is stored in the DB 2B via the server 1B installed in / out of the network domain. At this time, that is, when it is determined that the attack is a Dos attack, an IP traceback reverse detection packet may be transmitted. The predetermined value is a constant determined in advance according to the transmission rate, but is not limited to this.

  Here, the traffic information management means described in the claims corresponds to the traffic collection function 11, the traffic pattern creation function 13, the traffic collection / storage function 14, etc., and the traffic information comparison means corresponds to the traffic comparison function 12. The Dos determination means corresponds to the traffic determination function 16 and the like, and the reverse packet transmission means corresponds to the communication function 15 and the like. However, it is needless to say that these relationships are not limited.

  Next, as shown in FIG. 3, the server 1B includes a traffic collection / storage function 21, a link agent function 22, a frequency (hereinafter referred to as “Frequency”) agent function 23, and an application check (hereinafter referred to as “Appcheck”) agent function 24. , A server monitor (hereinafter referred to as SrvrMonitor) agent function 25, a communication function 26, a ranking / cost value determination function 27, and a correction value determination function 28. That is, the server 1B has various agent functions 22 to 25 that cooperate in order to determine a DoS attack.

  In such a configuration, the traffic collection / storage function 21 periodically collects traffic information for each IP address and stores it in the DB 2B. Although the details will be described later, the ranking / cost value determining function 27 determines a cost value corresponding to the ranking with reference to a table in which the ranking and the cost value are associated with each other. The link agent function 22 determines the reliability of the specified value based on the link pattern change and the number of links collected periodically. The Frequency agent function 23 records an IP address that has been subjected to a DoS attack in the past, and determines the possibility of a DoS attack based on the frequency of the DoS attack over a certain period.

  Then, the Appcheck agent function 24 determines the possibility of DoS attack based on the description contents of the payload of the IP packet collected from the server 1A. The SrvrMonitor agent function 25 manages the resources of Web servers, FTP servers, and mail servers that can be attack targets in its own domain, and determines the possibility of DoS attacks. The correction value determination function 28 determines the cost correction constant (correction value) and the total number, as will be described in detail later, based on the determination results of the various agents 22 to 25 as described above.

  The first function described in the claims corresponds to the link agent function 22 or the like, the second function corresponds to the Frequency agent function 23 or the like, and the third function corresponds to the Appcheck agent function 24 or the like. The fourth function corresponds to the SrvrMonitor agent function 25 or the like. The Dos determination means is a broad concept including a ranking / cost value determination function 27, a correction value determination function 28, and the like. Further, the cost value conversion means described in the claims corresponds to the ranking / cost value determination function 27 and the like, and the total number calculation means corresponds to the correction value determination function 28 and the like. However, it is not limited to these relationships.

  Hereinafter, the operation of the above configuration will be described in detail with reference to the flowchart of FIG.

  This corresponds to the network management method according to the present embodiment. Or, it corresponds to the algorithm of the network management program according to the present embodiment.

  First, the server 1A periodically collects traffic information for each IP address by the traffic collection function 11 at an edge node connected to the external network 5 (step S1). The information collected by the server 1A includes, for example, traffic information for each day, month, week, and year. The traffic information includes a transmission source address, a destination address, a measurement time, a transmission rate, and the like as shown in FIG.

  Then, the server 1A uses the traffic pattern creation function 13 to create a change in transmission rate for each day, week, month, and year as a traffic pattern for each IP address on the basis of the collected various information. The data is stored in the DB 2A by the storage function 14 (step S2). The traffic pattern is, for example, as shown in FIG. 8, and includes a transmission source address, a destination address, a change in traffic (1 day, week, month, year), and a threshold value for determining the possibility of Dos attack. . However, it is not limited to this.

  Subsequently, the server 1A determines a DoS attack. That is, the traffic comparison function 12 compares the transmission rate for each source address collected by the server 1A with the traffic pattern stored in the DB 2A (steps S3 and S4), and determines a predetermined value (according to the transmission rate) between the two. When a difference greater than or equal to a predetermined constant) occurs, the communication function 15 stores the IP packet in the DB 2B via the server 2A installed in / outside the own network domain. The IP packet stored in the DB 2B is an IP address in which all the traffic flowing into the own network domain partially or a difference of a predetermined value or more has occurred.

  When the server 1A processes alone, a predetermined reverse detection packet is transmitted when it is determined that a DoS attack occurs when the difference between the two values compared is equal to or greater than a predetermined threshold. Of course, it may be.

  Next, for the IP packets collected in the DB 2B by the communication function 26 and the traffic collection / storage function 21, a plurality of DoS attack discrimination agent functions 22 to 25 having different policies in the server 1B cooperate with each other in the DB 2B. The DoS attack is determined for the stored traffic (steps S5 to S11). That is, the link agent function 22, the frequency agent function 23, the Appcheck agent function 24, and the SrvrMonitor agent function 25 as DoS attack discrimination agents determine the possibility of a DoS attack based on the respective algorithms.

  Hereinafter, each agent function will be described in more detail.

  The link agent function 22 ranks the reliability of the determination against the DoS attack according to the number of links of the Web page on the Internet and the change in the number of links, and the change in the past link number and the current link number is a predetermined threshold value. If it is below, it is determined as a DoS attack. In general, if there is a certain difference between the traffic pattern and the current traffic transmission rate, there is a possibility of a DoS attack, but there is a possibility of an increase in traffic due to an error or an increase in the number of accesses. Therefore, the link agent function 22 examines the possibility of DoS attack based on the number of links on the Web page and the change in the number of links. The number of links attached to the Web page is a parameter indicating importance / popularity, and the importance / popularity increases as the number of links increases. The number of links of web pages on the Internet and changes in the number of links are periodically collected and recorded in the DB 2B as a link pattern.

  This link pattern is as shown in FIG. 9, for example, and includes a transmission source address, a destination address, measurement time, and a link pattern (day, week, month, year). A tendency is judged from such a link pattern, and the possibility of DoS attack is ranked.

  The ranking conversion table is, for example, as shown in FIG. 10, and rank A (possibility of DoS attack; cost value A), rank B (possibility of DoS attack; cost value B), rank C (DoS attack). ); Cost value C), and rank D (very unlikely DoS attack; cost value D). That is, the link agent function 22 detects the traffic change from FIG. 8, and refers to the ranking conversion table of FIG. 9 determined in advance by the relative evaluation with the average traffic change, and the corresponding cost value. Will be determined.

  On the other hand, the frequency agent function 23 records an IP address that has been subjected to a DoS attack against the own domain / other domain in the past, and the frequency of the attack to the own domain / other domain exceeds a threshold for a certain period of time. Judged as a DoS attack.

  In general, when a DoS attack is carried out, a computer on the Internet is often used as a platform, and the computer used as a platform is considered to have a low security level. Security management requires a high level of knowledge and technology, and if these are lacking, there is a high possibility of being frequently used as a stepping stone. Therefore, the frequency agent function 23 records the past attack frequency for the own domain for each IP address, and examines the possibility of DoS attack based on the frequency for a certain period. The past attack frequency against the own domain is as shown in FIG. 11, for example, and the transmission source address, the destination address, the measurement period, and the number of attacks are associated with each other. The ranking conversion table is as shown in FIG. 12, and ranks and corresponding cost values are determined in advance by a relative evaluation with the average number of attacks.

  That is, in the example of FIG. 12, the IP address with a high attack frequency is rank A (cost value A), the IP address with a medium attack frequency is rank B (cost value B), and the IP address with a low attack frequency is rank C ( Cost value C) and IP addresses that have not been attacked in the past are rank D (cost value D). The frequency agent function 23 determines the cost value with reference to the ranking conversion table of FIG. 12 using the ranking / cost value determination function 27 after grasping the attack frequency and the like from FIG.

  The Appcheck agent function 24 checks the contents of the payload description for all or part of the IP addresses taken out, and determines a DoS attack. In many cases, a DoS attack tool is used for a DoS attack. In the case of a DoS attack using such roots, it can be found by examining the payload (for example, pattern matching). Therefore, the Appcheck agent function 24 performs payload inspection on all or part of IP addresses stored in the DB 2B. The configuration of the IPv4 header format and the IPv6 header format is as shown in FIGS. 5 and 6. In the case of IPv4, the portion shown as data (Data) in FIG. ) Inspect the part indicated.

  Since each format is general, further explanation is omitted.

  The result of this inspection is as shown in FIG. 13, for example, and the Dos attack type and the Dos attack discrimination pattern are associated with each other. The ranking conversion table is shown in FIG. 14. An IP packet determined to be a DoS attack packet is rank A (cost value A), and if it is not a Dos attack packet, rank D (cost value D) is set in advance. It has established.

  That is, the Appcheck agent function 24 detects the Dos attack type and the Dos attack discrimination pattern from FIG. 13, and uses the ranking / cost value determination function 27 to determine the cost value with reference to the ranking conversion table of FIG. It will be.

  The SrvrMonitor agent function 25 monitors the state of the server to be attacked in its own domain and determines a DoS attack. More specifically, when the ratio of the Syn packet to the TCP packet is equal to or greater than the threshold value, or when it is determined that the received IP address is illegal (for example, an IP packet other than the customer), it is determined as a DoS attack. In general, Dos attacks include those using SYN technology or ICMP echo request.

  The server 1B manages the relationship between the customer IP address and the port number using a table as shown in FIG. The server 1B monitors the ratio of the Syn packet to the TCP packet, compares the customer IP address and the received IP address, and creates a table as shown in FIG. Then, the possibility of Dos attack is determined from this table. The ranking conversion table is as shown in FIG. That is, this ranking is rank A (large possibility of Dos attack; threshold A, cost value E), rank B (possibility of Dos attack; threshold B, cost value F), rank C (possibility of Dos attack). Small; threshold C, cost value G), and rank D (possibility of Dos attack is extremely low; threshold D, cost value H). The SrvrMonitor agent function 25 uses the ranking / cost value determination function 27 to determine the cost value with reference to the ranking conversion table of FIG.

  As described above, each determination by the agent functions 22 to 25 is ranked, and a cost value corresponding to the determination is determined. Then, the correction value determination function 28 calculates the cost correction constants α, β, γ, θ with reference to the table of FIG. 18, and sets the total of the cost values calculated by the agents 22 to 25 as G. The action for the IP address is determined by the value of.

Here, the total sum G is
G = αCost (link agent) + βCost (Frequency agent)
+ ΓCost (Appcheck agent) + θCost (SrvrMonitor agent)
Α, β, γ, and θ are constants (0) that change depending on an access destination (for example, an HTTP server, a Mail server, or an FTP server) specified by, for example, an IP address, a port number, and an application type. Included).

  For example, the following measures can be considered.

G = 00-20: Forward traffic stored in DB2B to own network G = 21-40: Notify user / administrator of possibility of DoS attack G = 41-80: Notify user / administrator and Transmission of trace packet G = 81: Notification to user / administrator, transmission and discard of trace packet As an example, for the IP address stored in DB2B, the link agent has a cost value of 30 (rank B), and the Frequency agent has When the cost value is 40 (rank A), the Appcheck agent determines that the cost value is 0 (rank D), and the SrvrMonitor agent determines that the cost value is 0 (rank D), and α = β = γ = θ = 1, the total number G Is
G = 30 + 40 + 0 + 0 = 70
It becomes. In this case, in accordance with the above countermeasure, the server 1B performs notification to the user / administrator and transmission of the IP traceback reverse detection packet.

  As described above, the server 1B appropriately performs transmission of the IP traceback reverse detection packet, notification to the administrator / user, and transmission of the packet discard to the user according to the determination of the DoS attack determination agent (steps S12 to S14). ).

  As described above, according to the embodiment of the present invention, the accuracy of DoS attack determination can be increased by comprehensive determination based on a plurality of policies. Further, since the trace packet is generated after determining the presence or absence of the DoS attack, the number of trace packets transmitted can be reduced, and the load on the network can be reduced.

  Of course, the present invention is not limited to the above-described embodiment, and various modifications and changes can be made without departing from the spirit of the present invention. For example, the agents that cooperate for Dos attack determination are not limited to those described above.

The conceptual diagram of the network management apparatus which concerns on one embodiment of this invention. The figure which further embodied and showed the composition of server 1A. The figure which further embodied and showed the composition of server 1B. The flowchart for demonstrating the judgment procedure of the presence or absence of Dos attack by the network management apparatus which concerns on one embodiment of this invention. The figure which shows the IPv4 header format. The figure which shows the IPv6 header format. A table related to traffic information. A table related to traffic patterns. Table related to link pattern. The figure which shows the ranking conversion table which the link agent function 22 uses. A table related to the frequency of attacks against the domain of the past. The figure which shows the ranking conversion table which the Frequency agent function 23 uses. A table in which a Dos attack type is associated with a Dos attack discrimination pattern. The figure which shows the ranking conversion table which the Appcheck agent function 24 uses. A table related to the relationship between customer IP addresses and port numbers. A table related to the ratio of the number of Syn packets to the number of TCP packets. The figure which shows the ranking conversion table which the SrvrMonitor agent function 25 uses. Table relating to cost correction constants.

Explanation of symbols

  1A, 1B ... Server, 2A, 2B ... DB, 3A-3D ... Router, 4 ... AS, 5 ... Network, 11 ... Traffic storage function, 12 ... Traffic comparison Function, 13 ... Traffic pattern creation function, 14 ... Traffic pattern collection / storage function, 15 ... Communication function, 21 ... Traffic collection / storage function, 22 ... Link agent function, 23 ... Frequency agent function, 24 ... Appcheck agent function, 25 ... SrvrMonitor agent function, 26 ... communication function, 27 ... ranking / cost value determination function, 28 ... correction value determination function.

Claims (9)

In a network management device that is connected to an information communication network together with a plurality of terminal devices and manages traffic information of data transmitted from the terminal device,
Traffic information management means for periodically collecting and managing the traffic information of the terminal device for each IP address;
Traffic information comparison means for comparing the traffic information managed by the traffic information management means with the current traffic information;
A DoS determination means for determining a DoS attack when the difference between the two values compared by the traffic information comparison means is equal to or greater than a predetermined threshold;
Reverse packet sending means for sending a reverse detection packet when the DoS judging means judges a DoS attack;
A network management apparatus comprising:   The network management apparatus according to claim 1, wherein the threshold value is a constant corresponding to a transmission rate. In a network management device that is connected to a plurality of terminal devices via an information communication network and manages traffic information of data transmitted from the terminal device,
The traffic information of the terminal device is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values as a comparison result is equal to or greater than a predetermined threshold value. A first function in which a DoS attack is determined as a DoS attack determination condition, and an increase / decrease in the number of links to the homepage is further added as a DoS attack determination condition;
A second function for managing a DoS attack history for each IP address and determining the presence or absence of a DoS attack based on the frequency of DoS attacks over a certain period;
A third function for determining the presence or absence of a DoS attack based on the description content of the payload of data received from the terminal device;
A fourth function for monitoring the resources of servers that can be attack targets in its own domain and determining the presence or absence of a DoS attack;
A network management apparatus comprising DoS determination means for determining presence or absence of a DoS attack using at least one of the functions. The DoS determination means is:
Cost value conversion means for converting the determination results by the first to fourth functions into cost values;
A total number calculating means for calculating a total sum of values obtained by multiplying each cost value by a constant corresponding to an IP address, a port number or an application;
The network management device according to claim 3, further comprising: determining a DoS attack according to the total number. The DoS determination means is:
A means for comparing the traffic information managed by the traffic information management means with the current traffic information, and if the difference between the two values is greater than or equal to a predetermined threshold, causing the external device to manage the current and subsequent traffic information; In addition,
5. The network management device according to claim 3, further comprising: determining a DoS attack by the external device. In a network management method by a network management device that manages traffic information of data transmitted from a terminal device connected via an information communication network,
The network management device is
Collecting and managing the traffic information of the terminal device periodically for each IP address,
Compare this managed traffic information with the current traffic information,
When the difference between the two values compared is greater than or equal to a predetermined threshold, it is determined that the attack is a DoS attack and a reverse detection packet is sent
And a network management method. In a network management method by a network management device that manages traffic information of data transmitted from a terminal device connected via an information communication network,
The network management device is
The traffic information of the terminal device is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values as a comparison result is equal to or greater than a predetermined threshold value. A first function in which a DoS attack is determined as a DoS attack determination condition, and an increase or decrease in the number of links to the homepage is further added as a DoS attack determination condition;
A second function for managing a DoS attack history for each IP address and determining the presence or absence of a DoS attack based on the frequency of DoS attacks over a certain period;
A third function for determining the presence or absence of a DoS attack based on the description content of the payload of data received from the terminal device;
A fourth function for monitoring the resources of servers that can be attack targets in its own domain and determining the presence or absence of a DoS attack;
A network management method, wherein the presence or absence of a DoS attack is determined using at least one of the functions. In a network management program used for a network management device that manages traffic information of data transmitted from a terminal device connected via an information communication network,
The network management device is
Collecting and managing the traffic information of the terminal device periodically for each IP address,
Compare this managed traffic information with the current traffic information,
When the difference between the two values compared is greater than or equal to a predetermined threshold, it is determined that the attack is a DoS attack, and a reverse detection packet is sent.
Network management program for. In a network management program used for a network management device that manages traffic information of data transmitted from a terminal device connected via an information communication network,
The network management device is
The traffic information of the terminal device is periodically collected and managed for each IP address, the managed traffic information is compared with the current traffic information, and the difference between the two values as a comparison result is equal to or greater than a predetermined threshold value. A first function in which a DoS attack is determined as a DoS attack determination condition, and an increase or decrease in the number of links to the homepage is further added as a DoS attack determination condition;
A second function for managing a DoS attack history for each IP address and determining the presence or absence of a DoS attack based on the frequency of DoS attacks over a certain period;
A third function for determining the presence or absence of a DoS attack based on the description content of the payload of data received from the terminal device;
A fourth function for monitoring the resources of servers that can be attack targets in its own domain and determining the presence or absence of a DoS attack;
A network management program for determining the presence or absence of a DoS attack using at least one of the functions.

Images